MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 712b20b9ed52d72b38f0c5074e7b3a9bbc5b6aabe73baa60e254ae436dedb25b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 712b20b9ed52d72b38f0c5074e7b3a9bbc5b6aabe73baa60e254ae436dedb25b
SHA3-384 hash: 7b0ff952bf176d6653a7a0d49d07c3f7822ee1c06d77991e25b6f6f397a988d9bb3c8fb39802257569f0ce7102f45a9b
SHA1 hash: d1d80cc96dbaeefa66f914a6ba80a5c0ef395be1
MD5 hash: f0433425c4420a92c25d2a1913389bf9
humanhash: magnesium-north-december-delta
File name:71649035_Invoice_Receipt.exe
Download: download sample
Signature NanoCore
File size:1'379'328 bytes
First seen:2020-06-18 05:28:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7
ssdeep 24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaqZiTxFF9K6Di4vWPvveJHb5:oh+ZkldoPK8YaqKbzWPvWf
TLSH 3955CE02B391D035FFAB92739B6AB64196BD7D250133852F13983E79B9701B1273E263
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
NanoCore RAT C2:
omojune.duckdns.org:8090 (185.165.153.45)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
33
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Tiggre
Status:
Malicious
First seen:
2020-06-16 22:35:33 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
Extraction:
omojune.duckdns.org:8090

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 712b20b9ed52d72b38f0c5074e7b3a9bbc5b6aabe73baa60e254ae436dedb25b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments